/mandos/trunk : revision 1090

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to intro.xml

Committer: Teddy Hogeborn
Date: 2019-03-30 07:03:04 UTC
Revision ID: teddy@recompile.se-20190330070304-dqgch62lsaaygg46

mandos-ctl: Refactor D-Bus operations

* mandos-ctl (dbus): Rename imported module to "dbus_python".
  (main): Only create a bus object and do everything via that object.
  (get_mandos_dbus_object): Remove and move code into dbus or
                            dbus_python_adapter namespaces.
  (if_dbus_exception_log_with_exception_and_exit): - '' -
  (SilenceLogger): - '' -
  (dbus): New; move everything dbus-specific into this module-like
          namespace.
  (dbus_python_adapter): New; move everything specific to the
                         dbus-python D-Bus module into this
                         module-like namespace.
  (command.Base.run): Take only a bus argument; use only that.  Pass
                      "client" argument as a D-Bus object path string,
                      not a dbus-python proxy object.  All derivatives
                      adjusted.
  (command.IsEnabled.is_enabled): Remove.
  (command.Approve, command.Deny, command.Remove,
  command.PropertySetter): Do no logging of D-Bus commands, and use
  only bus, not client, to do D-Bus calls.
  (command.DumpJSON.dbus_boolean_to_bool): Remove; move filtering to
                                           dbus_python_adapter.
  (command.Enable, command.Disable, command.StopChecker,
  command.ApproveByDefault): Use normal Python booleans instead of
  dbus-python's special Boolean types.
  (Unique): New; move here out from inside TestPropertySetterCmd.
  (Test_get_mandos_dbus_object): Remove.
  (Test_get_managed_objects): - '' -
  (Test_dbus_exceptions): New.
  (Test_dbus_MandosBus): - '' -
  (Test_dbus_python_adapter_SystemBus): - '' -
  (Test_dbus_python_adapter_CachingBus): - '' -
  (Test_commands_from_options): Don't create mock client proxy
  objects, define dict of client properties and use a mock dbus to
  verify that the correct D-Bus calls are made.  Also remove any types
  specific to dbus-python.
  (TestEnableCmd, TestDisableCmd, TestStartCheckerCmd,
  TestStopCheckerCmd, TestApproveByDefaultCmd, TestDenyByDefaultCmd):
  Use normal Python booleans instead of dbus-python's special Boolean
  types.
  (TestPropertySetterValueCmd.runTest): Remove; unnecessary.

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

intro.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

The computers run a small client program in the initial RAM disk

environment which will communicate with a server over a network.

All network communication is encrypted using TLS. The clients

are identified by the server using an OpenPGP key; each client

are identified by the server using a TLS public key; each client

has one unique to it. The server sends the clients an encrypted

password. The encrypted password is decrypted by the clients

using the same OpenPGP key, and the password is then used to

using a separate OpenPGP key, and the password is then used to

unlock the root file system, whereupon the computers can

continue booting normally.

</para>

<title>INTRODUCTION</title>

<para>

<!-- This paragraph is a combination and paraphrase of two

quotes from the 1995 movie “The Usual Suspects”. -->

You know how it is. You’ve heard of it happening. The Man

comes and takes away your servers, your friends’ servers, the

servers of everybody in the same hosting facility. The servers

192

201

<para>

193

202

No. The server only gives out the passwords to clients which

194

203

have <emphasis>in the TLS handshake</emphasis> proven that

195

they do indeed hold the OpenPGP private key corresponding to

196

that client.

204

they do indeed hold the private key corresponding to that

205

client.

206

</para>

207

</refsect2>

208

209

210

<title>How about sniffing the network traffic and decrypting it

211

later by physically grabbing the Mandos client and using its

212

key?</title>

213

<para>

214

We only use <acronym>PFS</acronym> (Perfect Forward Security)

215

key exchange algorithms in TLS, which protects against this.

197

216

</para>

198

217

</refsect2>

199

218

215

234

</para>

216

235

</refsect2>

217

236

218

219

<title>Faking ping replies?</title>

237

238

<title>Faking checker results?</title>

220

239

<para>

221

The default for the server is to use

240

If the Mandos client does not have an SSH server, the default

241

is for the Mandos server to use

222

242

<quote><literal>fping</literal></quote>, the replies to which

223

243

could be faked to eliminate the timeout. But this could

224

244

easily be changed to any shell command, with any security

225

measures you like. It could, for instance, be changed to an

226

SSH command with strict keychecking, which could not be faked.

227

Or IPsec could be used for the ping packets, making them

228

secure.

245

measures you like. If the Mandos client

246

<emphasis>has</emphasis> an SSH server, the default

247

configuration (as generated by

248

<command>mandos-keygen</command> with the

249

<option>--password</option> option) is for the Mandos server

250

to use an <command>ssh-keyscan</command> command with strict

251

keychecking, which can not be faked. Alternatively, IPsec

252

could be used for the ping packets, making them secure.

229

253

</para>

230

254

</refsect2>

231

255

</refsect1>

360

384

</para>

361

385

</refsect1>

362

386

387

388

389

<xi:include href="bugs.xml"/>

390

</refsect1>

391

363

392

364

393

365

394

<para>

393

422

394

423

395

424

<term>

396

<ulink url="http://www.recompile.se/mandos">Mandos</ulink>

425

<ulink url="https://www.recompile.se/mandos">Mandos</ulink>

397

426

</term>

398

427

399

428

<para>

Older »